The following circumstances led me to write this post:
- A couple of years ago I got a job at a fairly large company, where I first met proxies in general and authenticating proxies in particular, and learned about Opera's quirks in such an environment
- The admins force us to change the domain / proxy password fairly often
- There was no similar article on Habr :) - I hope this info will be useful to someone
Background
Having unpacked my things at the new workplace and received a computer, I immediately began to fill it with my usual set of software, which of course included Opera.
Before I had time to enjoy the new, powerful computer the boss gave me, I found that Opera made me enter the proxy login / password for each of the open tabs ...
At first it just surprised me, but then I noticed that Internet Explorer, respected and beloved by everyone and officially supported by our company's IT department, does not suffer from this problem.
Uncle Google told me a lot of things on this topic that were interesting and new to me at the time ... both how long Opera users have been complaining about it, and how easily it is fixed by installing some kind of “fox” :)
In addition, I learned that there is such a thing as NTLM authentication, and that Opera is not very friendly with it.
My newly minted colleagues happily advised me not to show off and to throw out my "not very popular browser."
BUT. This situation did not suit me, and I had no desire to change my usual browser. So I decided to try to find a solution to this annoying problem (in my free time, of course).
Searching for a solution
Most of the recommendations boiled down to ticking the EnableNTLM checkbox in Opera (opera:config -> Network -> EnableNTLM).
Unfortunately, in my case the option did not bring the desired harmony with the browser:
- EnableNTLM = 1 -> one password request for each tab
- EnableNTLM = 0 -> just one request, but all internal resources that require domain authorization stop working

I couldn't find anything more effective, so I had to try a more radical solution - my own local proxy that authenticates to the corporate proxy.
At the time I found only NTLMAPS.
I used this proxy for a while - in general it does its job, but there were some unpleasant aspects:
- a considerable drop in network speed, especially with a large number of simultaneous requests
- quite noticeable CPU load
- no built-in ability to run as a service (I had to use srvany additionally)
- the need to store the password in clear text in the config file
- inability to use special characters in the password, etc.
Result and perks
Everyone has probably guessed that there is a decent and more convenient replacement for NTLMAPS, which I want to tell you about. Its name is CNTLM.
It is this proxy that I have been using at work for the past few years (my Linux-using colleagues also chose CNTLM). A lot of time has passed since then ... First it turned out that we used squid, ISA and something else ... Then a secret transparent proxy appeared without any authorization at all. But I still use CNTLM.
So, for starters, here are the advantages of CNTLM compared to NTLMAPS:
- a practically (I am afraid to write “absolutely”) imperceptible drop in speed (see the end of the article)
- no significant load on the CPU and low memory consumption (see the end of the article)
- work in service mode
- ability to store a hash instead of the password itself
- the ability to specify multiple parent proxies at once
- the ability to enable gateway mode, etc.
- the ability to set NoProxy resources (i.e., those for which you do not need to use a proxy at all - eg local resources)
- ...
How can this solution be useful?
- Opera now DOES NOT ask for login / password - mission accomplished :)
- All software goes to the Internet through CNTLM. When the doomsday of the password change comes, it is enough to change it only in the CNTLM config.
Earlier, I had to do this in a bunch of places ... Take for example the computer of a spherical IT specialist in a vacuum: 3 browsers, dropbox, hamachi, teamviewer, miranda, skype, DM, antivirus, kitty, etc. + many applications that just need the Internet to check for updates.
In addition, after the password change all this software keeps hammering the proxy with the old password, which leads to a temporary ban on the proxy ... I hope it is already clear that my colleagues and I were not very comfortable with this.
- As it turned out, not all modern programs are able to go to the Internet through a proxy with authorization. CNTLM is very helpful in this situation.
- All the virtual machines and any other machines on the LAN can also be given Internet access via CNTLM (by turning on gateway mode in the config)
- Let's say the main corporate proxy has a habit of going down regularly. We enter all available proxies into the config, and CNTLM will transparently go through the list if the main proxy fails.
This is just a list of the uses that came to my mind. I am sure many will be able to come up with something else.
Getting started
Under Windows we are offered an installer that does everything itself: it creates the service and unpacks the files to the right place.
However, some manual work is still required.
- Enter our data in %PROGRAMFILES%\Cntlm\cntlm.ini.
In general, we are interested in the following parameters:
Username -> our proxy or domain login
Domain -> domain name
Proxy -> IP address / name of the parent proxy + port
Listen -> local port where CNTLM will wait for us with open arms
We specify the necessary data and restart the CNTLM service.
- Find out the "dialect" of the corporate proxy and put the password / hash into the appropriate config parameter.
This info can be obtained from the admins, but you can also try to work it out using CNTLM itself. To do this, run CNTLM with the -I and -M switches and the address of any external site:
cntlm.exe -I -M ya.ru
Enter the password by hand and you will see output something like this:
Auth NTLMv2
PassNTLMv2 4AC6525378DF8C69CF6B6234532943AC
This shows that NTLMv2 is used. In addition, CNTLM immediately shows us the hash of the entered password.
So we have obtained the last missing parameter, PassNTLMv2.
We insert it into the CNTLM config and restart the service.
- Set the proxy in the browser / ICQ / ... to localhost:X, where X is the local port specified in the config file.
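A quick check of the finished config, as an added example (not from the original article or the CNTLM project): it parses a cntlm.ini and flags a plaintext Password line, a stored hash that still needs file protection, and gateway mode left open to the LAN. The sample config, its names and the finding texts are constructed; Allow and Deny are CNTLM's access-list options, which the article does not cover.

```python
import re

# Constructed sample cntlm.ini; user, domain and proxy names are placeholders.
SAMPLE_INI = """\
Username    jdoe
Domain      CORP
Password    example-password    # plaintext, as NTLMAPS required
Proxy       proxy1.corp.example:8080
Proxy       proxy2.corp.example:8080
NoProxy     localhost, 127.0.0.*, 10.*
Listen      3128
Gateway     yes
"""

HASH_KEYS = {"passlm", "passnt", "passntlmv2"}


def parse_cntlm(text):
    """Parse 'Key value' lines into {lowercased key: [values]}.

    Simplification (assumption): '#' at line start or after whitespace
    begins a comment; repeated keys such as Proxy are collected in order.
    """
    conf = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit(conf):
    """Return findings for settings that put the domain credentials at risk."""
    findings = []
    if "password" in conf:
        findings.append("plaintext Password: store the PassNTLMv2 hash instead")
    if HASH_KEYS & conf.keys():
        # The hash is enough to authenticate as this user, so it is still a secret.
        findings.append("hash is password-equivalent: restrict read access to cntlm.ini")
    gateway = conf.get("gateway", ["no"])[-1].lower() == "yes"
    if gateway and not {"allow", "deny"} & conf.keys():
        findings.append("Gateway without Allow/Deny: any host reaching the port proxies as you")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cntlm(SAMPLE_INI)):
        print("-", finding)
```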
A spoon of tar
Since CNTLM is built on Cygwin, which by default logs events to the Windows event log, we get a huge amount of garbage in the Application log (one event for each HTTP request, with Event ID 0 and Source Cygwin):
The description for Event ID 0 from source Cygwin cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
127.0.0.1 GET s.4pda.ru/forum/style_emoticons/default/thank_you.gif
Of course, you can live with this, but it becomes quite difficult to find anything really useful in the log.
If someone can suggest an elegant solution, I will be grateful. The only thing that has occurred to me is to remove all syslog() calls from the source.
PS
I cite the promised performance comparison with NTLMAPS (this data was previously listed on the CNTLM website, but was recently removed).
Fig. 1. Request execution time measured with wget. Please note that with NTLMAPS the time of the 1st and subsequent requests is almost the same (~2 seconds). With CNTLM the 1st request is executed 5 times faster and the subsequent ones 15 times faster - connection caching is evident.

Fig. 2. CPU and RAM consumption with 50 parallel connections.
